
Enterprise identity management systems bring many benefits to large organizations and are increasingly a required capability in today's regulatory environment. Some of the important benefits of enterprise IdM include:

  • Improved user productivity, due to reduced wait for new and updated systems access and fewer authentication problems.
  • Lower security administration cost, as the bulk of user management is automated or delegated to business users and password resets are either eliminated or resolved with self-service.
  • Enhanced security, as inappropriate access is terminated quickly and reliably.
  • Regulatory compliance, including the ability to audit access rights globally, to ensure that only appropriate users have access to sensitive systems and data.

Unfortunately, despite two generations of user administration technology, enterprise identity management systems from many vendors remain difficult to deploy and costly to maintain. Because of these factors, many IdM projects either end in stripped-down installations or are abandoned entirely.

This paper discusses the main challenges encountered by large organizations in deploying enterprise identity management systems, and offers solutions to help overcome each challenge.

The solutions offered in this paper are implemented in the Hitachi ID Identity and Access Management Suite.

Enterprise Identity Management

Enterprise Identity and Access Management (IAM) is defined as a set of processes and technologies to effectively and consistently manage modest numbers of users and entitlements across multiple systems. In this definition, there are typically significantly fewer than a million users, but users typically have access to multiple systems and applications.

Typical enterprise identity and access management scenarios include:

  • Password synchronization and self-service password reset.
  • Management of other credentials, such as one-time password devices, security questions, smart phone apps, biometrics, smart cards, cryptographic certificates, etc.
  • Identity and access management (IAM), which creates and deletes identities and assigns and revokes entitlements in response to processes such as data synchronization, a request portal, approval workflows, access reviews ("governance") and policy enforcement.
  • Group management, to create, manage and delete security groups and mail distribution lists.
  • Single sign-on -- which may consist of Kerberos, federated access (SAML or similar), web SSO (web form stuffing or server-side agents) and enterprise SSO (client-side form stuffing).
  • Strong authentication, combining multiple credentials with contextual selection of suitable login mechanisms.

Adjacent problem areas to identity and access management (IAM) include privileged access management (PAM) and directories.

Enterprise IAM presents different challenges from identity and access management in extranet (B2C or B2B) scenarios:

Characteristic                                   | Enterprise IAM (typical)                                                        | Consumer IAM (typical)
-------------------------------------------------|---------------------------------------------------------------------------------|------------------------------------------------------------------------------
Number of users                                  | Under 1 million                                                                 | Over 1 million
Number of systems and directories                | 2 -- 10,000                                                                     | 1 -- 2
Users defined before the IAM system is deployed  |                                                                                 | Frequently only new users
ID mapping                                       | Existing accounts may have different IDs on different systems.                  | Single, consistent ID per user.
Data quality                                     | Orphan and dormant accounts are common. Data inconsistencies between systems.   | Single or few objects per user. Consistent data. Dormant accounts often a problem.
User diversity                                   | Many users have unique requirements.                                            | Users fit into just a few categories.

In short, Enterprise IAM has fewer but more complex users. Consumer IAM has more users and higher transaction rates, but less complexity.
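As an added illustration (not from this paper or the Hitachi ID product), the following Python sketch shows the kind of reconciliation the table's "ID mapping" and "Data quality" rows call for: accounts from two target systems with different login conventions are matched to an authoritative HR feed, and orphan, terminated-owner and dormant accounts are flagged for review. The HR records, account lists and per-system ID rules are constructed sample data, and the 90-day dormancy threshold is an assumption.

```python
from datetime import date, timedelta

# Constructed sample data, not from any real deployment: an authoritative HR feed
# and account lists from two target systems with different login-ID conventions.
HR = [
    {"emp_id": "E1001", "first": "Alice", "last": "Ng",    "active": True},
    {"emp_id": "E1002", "first": "Bob",   "last": "Stone", "active": False},
]
ACCOUNTS = {  # system -> list of (login, last_login)
    "ad":  [("ang", date(2024, 5, 1)), ("cquinn", date(2024, 4, 30))],
    "erp": [("alice.ng", date(2023, 9, 1)), ("bob.stone", date(2024, 4, 1))],
}
# Assumed per-system rule deriving the expected login from an HR record.
ID_RULES = {
    "ad":  lambda p: (p["first"][0] + p["last"]).lower(),
    "erp": lambda p: f'{p["first"]}.{p["last"]}'.lower(),
}

def reconcile(hr, accounts, rules, today, dormant_days=90):
    """Map each account to an identity; flag orphan, terminated-owner and dormant accounts."""
    findings = []
    for system, entries in accounts.items():
        # Reverse index: expected login on this system -> HR record.
        expected = {rules[system](p): p for p in hr}
        for login, last_login in entries:
            person = expected.get(login)
            if person is None:
                findings.append((system, login, "orphan"))            # no matching identity
            elif not person["active"]:
                findings.append((system, login, "terminated_owner"))  # owner has left
            if today - last_login > timedelta(days=dormant_days):
                findings.append((system, login, "dormant"))           # unused credential
    return sorted(findings)

def run_sample(dormant_days=90):
    """Reconcile the constructed data as of a fixed review date."""
    return reconcile(HR, ACCOUNTS, ID_RULES, date(2024, 5, 15), dormant_days)

if __name__ == "__main__":
    for system, login, issue in run_sample():
        print(f"{system:4} {login:12} {issue}")
```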
